alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potential Palevo executable download, executable purporting to be different file"; flowbits:isset,ET.hidden.exe; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; content:"This program"; within:120; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa; sid:2010504; rev:2;)

Added 2009-12-17 10:15:43 UTC

This appears to be triggered by legitimate cases of Malwarebytes' Anti-Malware updates. For example, in response to a request like this, the first packet of the binary fires off the rule:

GET /program/mbam-setup.exe HTTP/1.1
User-Agent: mbam - 1.41
Host: mbam-cdn.malwarebytes.org
Cache-Control: no-cache

Three of my sites where I know they use MalwareBytes are triggering this one.

-- KevinBranch - 18 Dec 2009

This also appears to fire on traffic from an HP scanner utility to its update/ad server @ 15.201.8.54

-- FrankEargle - 04 Jan 2010
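The false positives reported above follow directly from what the rule's content checks can and cannot see. The example below is added here and is not code from the Emerging Threats wiki or ruleset: it re-implements the three conditions of SID 2010504 (the ET.hidden.exe flowbit, the `|0d 0a 0d 0a|MZ` match, and `This program` within 120 bytes of it) in plain Python and runs them over constructed HTTP responses. The constant names, the minimal PE builder, the sample responses and the boolean standing in for the flowbit are this example's own assumptions; the flowbit is normally set by a separate ET rule that is not on this page.

```python
# Added example, not code from the ET wiki page or from the Emerging Threats
# ruleset: a pure-Python model of the content checks in SID 2010504, run over
# constructed HTTP responses. Constant names, the DOS-stub builder and the
# boolean standing in for the ET.hidden.exe flowbit are this example's own.
import struct
from typing import Optional

DOS_MESSAGE = b"This program cannot be run in DOS mode.\r\r\n$"
# Classic 14-byte DOS stub code that precedes the message in MSVC-linked PEs.
DOS_STUB_CODE = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"


def content_match(payload: bytes, pattern: bytes, start: int = 0,
                  within: Optional[int] = None) -> Optional[int]:
    """Locate `pattern` and return the offset just past its end, or None.

    With `within` set, the match must end no more than `within` bytes after
    `start` (the end of the previous content match), which is how Snort and
    Suricata interpret the `within` modifier.
    """
    if within is None:
        idx = payload.find(pattern, start)
    else:
        rel = payload[start:start + within].find(pattern)
        idx = -1 if rel == -1 else start + rel
    return None if idx == -1 else idx + len(pattern)


def sid_2010504_matches(payload: bytes, hidden_exe_flowbit: bool) -> bool:
    """Apply the rule's three conditions to one server-to-client payload.

    `hidden_exe_flowbit` stands in for flowbits:isset,ET.hidden.exe, which a
    separate ET rule (not on this page) sets earlier in the flow; SID 2010504
    itself never looks at the Content-Type header.
    """
    if not hidden_exe_flowbit:
        return False
    end_mz = content_match(payload, b"\r\n\r\nMZ")       # content:"|0d 0a 0d 0a|MZ"
    if end_mz is None:
        return False
    return content_match(payload, b"This program",       # content:"This program"; within:120
                         start=end_mz, within=120) is not None


def build_pe_prefix(stub_padding: int = 0) -> bytes:
    """Build the first bytes of a minimal PE: DOS header, stub, PE signature.

    `stub_padding` pushes the DOS message further from "MZ" to show how the
    rule's within:120 window behaves with a non-standard stub.
    """
    stub = DOS_STUB_CODE + b"\x00" * stub_padding + DOS_MESSAGE
    e_lfanew = 0x40 + len(stub)
    e_lfanew += (-e_lfanew) % 8                       # keep PE signature 8-byte aligned
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", e_lfanew)
    body = bytes(header) + stub
    return body + b"\x00" * (e_lfanew - len(body)) + b"PE\x00\x00"


def http_response(content_type: str, body: bytes) -> bytes:
    """Constructed HTTP/1.1 response; the blank line ends the headers."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed traffic samples (not captures): an installer download like the
# Malwarebytes one reported above, a plain text page, and a PE whose DOS
# message sits outside the 120-byte window.
LEGIT_EXE_RESPONSE = http_response("application/octet-stream", build_pe_prefix())
TEXT_RESPONSE = http_response("text/html", b"<html>This program is fine</html>")
LONG_STUB_RESPONSE = http_response("application/octet-stream",
                                   build_pe_prefix(stub_padding=130))

if __name__ == "__main__":
    cases = [("legit exe, flowbit set", LEGIT_EXE_RESPONSE, True),
             ("legit exe, flowbit clear", LEGIT_EXE_RESPONSE, False),
             ("text page, flowbit set", TEXT_RESPONSE, True),
             ("long DOS stub, flowbit set", LONG_STUB_RESPONSE, True)]
    for name, sample, flowbit in cases:
        print(f"{name}: alert={sid_2010504_matches(sample, flowbit)}")
```

Running it shows that the byte-level checks are satisfied by every PE carrying the standard DOS stub, benign installers included, so the rule's selectivity rests entirely on whatever sets the ET.hidden.exe flowbit upstream; that is where tuning (or a suppression for known update hosts such as the ones reported above) belongs. The last case also shows the flip side: a PE built with a longer or rewritten DOS stub slips past the within:120 window.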


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potential Palevo executable download, executable purporting to be different file"; flowbits:isset,ET.hidden.exe; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; content:"This program"; within:120; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; sid:2010504; rev:1;)

Added 2009-12-16 13:02:17 UTC


Topic revision: r3 - 2010-01-04 - FrankEargle